Download PDF Version

Table of Contents

• Legislative Landscape
• Tracking reports, features and collective action

Legislative Landscape

CISPA dead again

This month, the controversial cybersecurity information sharing bill CISPA passed the United States House of Representatives, but was shelved by the Senate, in a repeat of 2011’s events when CISPA was initially deliberated. This came after numerous social media campaigns by advocacy groups, lobbying by industry, and a veto threat by the Obama administration. The bill sought to make it easier for private organizations to share information with the United States government about suspected “cyber threats”. Perceived problems with the bill included the prioritization of military control of cyber threat information over more transparent civilian agencies, immunity from any damages that arise out of “hacking back” against perceived threats, and the circumvention of existing privacy protections when providing personal information related to broadly-defined cyber threats to the government.

U.S. warrantless surveillance program highlighted

Celebrations by advocacy groups after the demise of CISPA may have been bittersweet as documents recently obtained by the Electronic Privacy Information Center reveal that even without a law such as CISPA, the U.S. Justice department has been granting legal immunity to ISPs taking part in a cybersecurity pilot program to intercept communications on portions of their networks without court authorization. This practice would have been formalized by CISPA if it became law. An executive order by President Obama requires Homeland Security to expand this data sharing program to all critical infrastructure sectors.

IRS warrantless email snooping

Documents obtained by the American Civil Liberties Union (ACLU) suggest that the criminal investigative unit within the IRS has obtained emails from service providers without a warrant, contrary to the 2010 Warshak court ruling that decided email can be protected under the U.S. constitution from unreasonable search and seizure. Following the ruling, the ACLU documents suggest that the IRS has continued to obtain such emails. The IRS responded shortly thereafter, denying that it uses emails to “target taxpayers”. After pressure from the U.S. Senate to clarify its practices, IRS Acting Commissioner Steven Miller stated that to his knowledge, the IRS has not obtained electronic communications without a warrant, which contradicts information in the obtained documents. Miller further stated the IRS will clarify its policies in the future.

ECPA Amendment to restrict warrantless access to emails proposed

A new U.S. Senate bill to amend the Electronic Communications Privacy Act (ECPA) would require law enforcement to obtain a warrant before compelling service providers to release the contents of users’ electronic communications. ECPA currently permits warrantless access to previously-opened emails and those over 180 days in age, practices that would no longer be allowed except in emergency situations under the amended Act. Advocacy groups have been calling for modernizing reforms to the 1986 Act for several years.

FBI pursuing real-time social media surveillance powers

During a talk for the American Bar Association, FBI general counsel Andrew Weissman discussed his view on the limits of the 1994 Communications Assistance for Law Enforcement Act (CALEA), which allows the government to compel ISPs and phone companies to install surveillance equipment on their networks. The law does not cover cloud services or email, rendering real-time surveillance of these platforms more difficult to achieve, especially for services utilizing end-to-end encryption — something the FBI would like to change. A proposed amendment to CALEA would allow the government to dole out escalating fines to service providers that do not comply with wiretap orders.

UK criticizes proposed EU “right to be forgotten” regulation

British officials have claimed proposed updates to the EU Data Protection Regulation that would create a so-called “right to be forgotten” will create unrealistic expectations about the reach of the policy. In practice, the proposed legislation would mandate online service providers to take reasonable steps to erase digital information pertaining to a user at that user’s request. Critics point out that such a right would not be as absolute as the title suggests, as the policy would need to be balanced with freedom of expression, scientific research, and other concerns. The UK Ministry of Justice also stated concerns about clauses in the proposal that would require data operators such as online service providers to take steps to manage third parties to delete data as needed, claiming it to be another of the scheme’s practical difficulties.

Back to top

Tracking reports, features and collective action

Reddit users dig up personal information of wrongfully accused

Social media website reddit.com met a significant amount of criticism for the “witch hunt” carried out by some of its users in response Boston marathon bombing. Reddit users collectively analyzed many photographs of the scene and “doxxed” individuals thought to be suspicious, unearthing social media profiles and other personal information. The New York Post later published those individuals’ photos on its front page, alleging they were suspects in the case. After the FBI came forward and dismissed the credibility of the photos, administrators of the site apologized for the incidents and noted that while it has a policy barring the publication of personal information, the policy had been ineffective. The events highlight that crowdsourced activities do not necessarily produce ideal results, though there are many examples of crowdsourced action helping manage crisis situations.

Google releases latest Transparency Report

Google’s Transparency Report for the latter half of 2012 indicates a continuation of the trend for increased requests to user data, and increased requests for content removal from governments. The report highlights the fact that 17 governments requested Google remove the controversial video “Innocence of Muslims”. A Google public policy blog post notes that this period saw a large increase in content removal requests from the Brazilian government, most of it pertaining to municipal elections and alleged defamation of political candidates. The report also reveals that total government requests for user data and content removals continue to increase, while Google’s compliance rate to such requests has been gradually declining, but remains slightly below 50 percent overall.

Facebook emoticons add structured data to posts

A new feature on the Facebook platform encourages users to select from a drop down of “emoticons” that suggest what you might be feeling, watching or eating at the moment. A blog post on Slate suggests that this feature is meant to enlist users in adding structured data points to the generally unstructured data of status updates, after natural language processing proved too challenging to execute reliably. The blog posits that this structured data will help Facebook to develop a more accurate profile of users and serve them more tailored ads.

Data brokers + Facebook

The Electronic Frontier Foundation recently published an in-depth look into how Facebook interacts with data brokers to serve targeted ads to its users. The report outlines how Facebook can target ads based on broker data without directly exchanging personal information, best practices for opting out of data broker programs and protecting yourself from third-party data collection. This comes as Facebook continues to describe its relationship with data brokers, which sees it leveraging information about its user’s offline behaviours and interests in order to build its partner categories service that enables advertisers to more efficiently target interest groups on the social network.

Back to top

Read previous editions of Social Media CyberWatch.

The post Social Media CyberWatch – April 2013 appeared first on The Citizen Lab.

The 2013 keynote speakers will be Ronald K. Noble, Secretary General of INTERPOL, Terry D. Kramer, Ambassador, Head of the US Delegation for the World Conference on International Telecommunications, Dubai, Michael Daniel, Cybersecurity Coordinator, The White House, Eugene Kaspersky, CEO and Co-founder, Kaspersky Lab, and Teresa M. Takai, Chief Information Officer, U.S. Department of Defense.

Read about the conference.

The post Director Ron Deibert participating in International Engagement on Cyber 2013 appeared first on The Citizen Lab.

Subscribe and receive Social Media CyberWatch in your inbox.

Table of Contents

• Prominent Privacy Research Findings
• Legislative Updates & Responses
• Service Provider Landscape

Prominent Privacy Research Findings

New research identifies users from limited data points

A new study published in Scientific Reports demonstrates that only four data points unique to a particular time and place are enough to uniquely identify almost any individual. Data from over 1.5 million people were gathered from mobile devices to support these conclusions. The BBC reports the findings reveal that even if mobile numbers and other personal details were removed from data sets, the mobility information alone may be enough to trace back to a particular individual. This could pose a privacy risk if “anonymized” data sets were shared with third parties. Other recent social media research findings similarly show that such a small number of data points may identify a user. Another report found that Facebook ‘likes’ can form surprisingly accurate personal portraits. Among the researchers’ findings were that male sexuality can be identified with 88 percent accuracy, and U.S. political affiliation (whether Democrat or Republican) with 85 percent accuracy.

Research sheds light on why people don’t act according to their privacy wishes

A recently-published longitudinal study of privacy practices demonstrates that a sample of Facebook users had gradually become less likely to share their personal information publicly. This persisted until policy and interface changes by Facebook partially arrested the trend. Other findings from the same research team argues that the idea of treating privacy as a matter of understanding and control over one’s personal data may be a false comfort. Indeed, people often do not act in their stated best interest when making transactions involving their personal information. Furthermore, the researchers found that more detailed user control over how one’s personal information is used encourages people to share more sensitive information with larger audiences.

Back to top

Legislative Updates & Responses

Proposed CFAA revision sparks controversy

A recently-proposed revision to the U.S. Computer Fraud and Abuse Act (CFAA) that would  broaden its scope has met broad criticism from academics, advocacy groups, the popular press, many of whom criticize the current state of the law as overbroad. The 1986 Act criminalizes gaining unauthorized access to computer systems. A Los Angeles Times editorial argues that the act’s ambiguity as to what constitutes authorization makes it susceptible to abuse. For example, the prosecution of activist Aaron Swartz equated a violation of Terms of Service agreements with unauthorized access. The EFF notes that the proposed revision to the act would quadruple maximum jail sentences for the crimes Swartz was accused of. Meanwhile, law professor Eric Goldman argues the law has evolved from one meant to prevent malicious hacking to one that restricts general unauthorized access to intangible assets such as intellectual property. He proposes the CFAA and similar laws be amended to retain only restrictions on defeating security measures and denial-of-service attacks.

Service providers distance themselves from CISPA as petition campaigns gain traction

The revived Cyber Intelligence Sharing and Protection Act (CISPA) has faced criticism for its broad, ambiguous language that has been argued to create exemptions to privacy laws in the name of cybersecurity. A Wired editorial argues the law would facilitate the usage of personal information collected under the act for prosecutions of crimes unrelated to cybersecurity. In response to the revised act, a campaign to stop the bill organized by advocacy groups and activists seeks petition signatures to send to the U.S. Congress. Similarly, a petition on the White House website to stop the bill has reached over 100,000 signatures, enough to mandate a response from the Obama administration. Shortly thereafter, Facebook joined Microsoft in dropping its support for the bill, the former company citing privacy concerns. Both companies have stated they favour a more “balanced” approach to security and privacy.

Back to top

Service Provider Landscape

Google shutters another “quasi-public” service

Many users of Google Reader petitioned for it to be saved after the company announced it would be shutting down the service later this year. This is just the latest of a series of high-profile service discontinuations by the tech giant. The demise of Reader particularly frustrated those who use the service to bypass Internet censorship systems. The service has been used to evade many filtering systems because the Reader software tramsits websites securely via Google’s own servers (located in the U.S.), rather than directly from third party servers which may be blocked by censors. While other RSS services that operate in a similar technical manner as Google Reader, these services will face a challenge in replicating Reader’s success as a censorship-circumvention tool because a large part of Reader’s power arguably comes from people’s trust in Google’s brand.

Microsoft releases its first transparency report

Earlier this month, Microsoft released its first Law Enforcement Requests Report, similar to the “transparency reports” released by Google and Twitter. The report reveals that Microsoft complied with 79 percent of U.S. government requests for subscriber data and 83 percent of requests from non-U.S. governments in 2012. The report’s release follows the January publication of an open letter signed by many advocacy groups requesting Microsoft to clarify what information is stored when users communicate via Skype, and to make public any government requests for that data. Microsoft’s report treats Skype as a separate category, explaining in a blog post that Skype data was collected differently due to the fact that the service was only acquired by Microsoft in late 2011. Interestingly, the report claims that Skype did not provide any customer communications content in response to 4,713 total government requests for users data, although an undisclosed amount of transactional data (such as usernames, email accounts and billing information) was provided. Furthermore, the report does not directly respond to the demand raised in the open letter about Microsoft’s relationship with TOM Online, a Chinese company that distributes modified Skype software for the Chinese market that has been found to censor and surveill its users.

Facebook expands ad targeting to include offline purchases

Facebook recently announced a partnership with several data brokers to incorporate their consumer data into the Facebook ad-targeting platform. The social media platform is now working with Datalogix, Epsilon, Acxiom, and BlueKai, companies that gather information about users through online cookies as well as through offline sources sucha as supermarket loyalty cards. Profiles assembled by brokers typically start with a name, address, and contact information, then add demographic information, hobbies, life-events, salary and more. The EFF has posted a guide on how to opt-out of these data brokers to ‘suppress’ your information from certain uses, which may or may not include sharing the information with Facebook.

Back to top

Read previous editions of Social Media CyberWatch.

The post Social Media CyberWatch – March 2013 appeared first on The Citizen Lab.

For several weeks, it has been difficult to open a newspaper or watch a Sunday talk show without hearing about the advent of “cyber war.” The media has been filled with an avalanche of cyber threat-related stories: the hacking of leading newspapers, evidence of Chinese government involvement in intellectual property theft, and now, further distributed denial of service attacks against U.S. banks. All these events present real and serious national security challenges. But cyber-espionage, cyber-crime and the malicious disruption of critical infrastructure are not the same as war, and the distinction is important.

The idea that America is in the middle of a “cyber war” isn’t just lazy and wrong. It’s dangerous. The war analogy implies the requirement for military response to cyber intrusions. America genuinely needs effective civilian government cyber defense organizations with strong relationships with the private sector and the active engagement of an informed general public. Creating and even promoting the fear of “cyber war” makes that more difficult. Here’s why:

First, while the U.S fights its wars using the highly-trained professional within the U.S. Armed Forces, defending against cyber threats does not necessary require military expertise or prowess. True, most private individuals and corporations lack the knowledge and training needed to fight off attacks from elite Chinese, Iranian and Russian cyber “warriors.” As a result, there is and will continue to be a pressing need for highly qualified information security experts to help defend the larger U.S. cyber landscape. Nonetheless, there are relatively simple ways to make it more difficult for the bad guys without escalating to a “war” standing. In 2011, the Australian Defence Signals Directorate (their equivalent of the U.S. National Security Agency) showed that by taking just four key measures–“whitelisting” (i.e., allowing only authorized software to run on a computer or network), very rapid patching of applications and of operating system vulnerabilities, and restricting the number of people with administrator access to a system–85 percent of targeted intrusions can be prevented. These might appear more like prophylactic public health measures than warfare–and that’s the point. The United States does not need to declare “war” and call up the military to fend off cyber threats.

For the full article, see here.

The post Why the U.S. is not in a cyber war appeared first on The Citizen Lab.

America’s generals and spymasters have decided they can secure a better future in cyberspace through, what else, covert warfare, preemptive attacks, and clandestine intelligence. Our rivals are indeed seeking to harm U.S. interests and it is perfectly within the president’s purview to use these tools in response. Yet this is an unwise policy that will ultimately backfire. The undoubted, immediate national security advantages will be at the expense of America’s longer-term goals in cyberspace.

The latest headlines on covert and preemptive cyberplans highlight just the latest phase of a cyber “cult of offense” dating back to the 1990s. Unclassified details are scarce, but the Atlantic Council’s study of cyber history reveals covert plans, apparently never acted upon, to drain the bank accounts of Slobodan Milosevic and Saddam Hussein. More recent press accounts detail cyber assaults on terrorist networks (including one that backfired onto U.S. servers) and Stuxnet, which destroyed Iranian centrifuges. American spy chiefs say U.S. cyber capabilities are so prolific that this is the “golden age” of espionage, apparently including the Flame and Duqu malware against Iran and Gauss, which sought financial information (perhaps also about Iran) in Lebanese computers.

Offensive cyber capabilities do belong in the U.S. military arsenal. But the continuing obsession with covert, preemptive, and clandestine offensive cyber capabilities not only reduces resources dedicated for defense but overtakes other priorities as well.

For the full article, see here.

The post Obama’s cyberwarfare strategy will backfire appeared first on The Citizen Lab.

Last week, after the Washington Post reported that numerous Washington institutions in and outside government have experienced hacking attributed to China, the Post’s excellent political writer Ezra Klein had this unfortunate foray into commentary on Chinese elite politics:

The Chinese look at Washington, and they think there must be some document somewhere, some flowchart saved on a computer in the basement of some think-tank, that lays it all out. Because in China, there would be. In China, someone would be in charge. There would be a plan somewhere. It would probably last for many years. It would be at least partially followed. But that’s not how it works in Washington.

Coming at these events from a Washington perspective has led to some conceptual and factual assumptions that are emblematic of wider misperceptions of the US relationship with China.

Problem number one: who exactly are “the Chinese” in this paragraph? The charitable interpretation of this usage is that “the Chinese” here means “the Chinese government”, but I doubt a sophisticated commentator such as Klein would so comfortably refer simply to what “the Americans” think.

The less charitable interpretation is that Klein is using an old-fashioned, essentialising term as a crutch for lack of more detailed knowledge of the splits, divides and diversities of the fifth of the human population living in the People’s Republic of China. “The Chinese” appears as a collective noun in this short piece seven times. (A similar “silly Chinese!” piece in Foreign Policy resorts to this usage five times.)

For the full article, see here.

The post Chinese cyberwar and the US ‘myth of scheming’ appeared first on The Citizen Lab.

“There’s no cyberwar without a real war,” argues cryptographer Bruce Schneier. Yet some sort of cyberconflict with China is afoot. After the U.S. Air Force asked, I considered what a cyberwar, with some real shooting, might look like between the United States and China. In it, I thought cyber-arms would blind, cripple and confuse, but missiles, bombs and torpedoes would do the killing. That will likely change.

News of cyber-attack is omnipresent. But in answering the question of what makes a cyber-attack an act of war, remember that in computer science such attacks are no more than attempts to subvert the function of a system. Compromising a system to steal data, rob property or blow up an oil refinery are all attacks, but only the last of them would likely be considered an act of war or terrorism. We have a lexical problem.

As for rules of engagement, that’s for lawyers interpreting the laws of armed conflict to consider. I see no clear universal redlines. As long as they work, countries and plenty of others will launch cyber-attacks that blur the differentiation between power of persuasion and hard coercive force in combinations of diplomacy, trade, covert action and military intervention. A friend suggested a term for placement of cyber-action across the spectrum of international affairs: shoft (mostly soft, but with some hard elements). Most soft U.S. cyberpower is in Silicon Valley. But there is a growing area of cyber-action with physical ramifications in other places — see Stuxnet and Shamoon.

For the full article, see here.

The post Hacking isn’t cyberwar, for now appeared first on The Citizen Lab.

Two decades after computer security began generating billions by selling expertise and software designed to protect unwanted network intrusions, experts say those networks are more vulnerable than ever. Florida-based Internet security firm Cymru said in a report released today, shared exclusively with The Verge, that analysts there uncovered a massive overseas hacking operation that is making off with a terabyte of data per day. Some of the victims include military and academic facilities and a large search engine. The report doesn’t identify who might be behind the attacks, but Cymru director Steve Santorelli conceded that, given the amount of resources behind the attacks, it is obvious the group is state-sponsored. “This is Internet theft on an industrial level,” said Santorelli, a former detective with Scotland Yard.

The United States is under siege. Cymru’s report follows on the heels of similarly damning research issued last week by security firm Mandiant, a document that could be read as an indictment of the entire cyber-security sector. Mandiant detailed how a group of cyber commandos employed by China has electronically raided the computer networks of hundreds of American companies over several years to pilfer precious trade secrets. In a story about the Mandiant findings, The New York Times reported that Washington now believes China also has the ability to use the internet to sabotage water supplies, shut down power stations and hobble our financial system.

For the full article, see here.

The post State-sponsored hackers steal more than a terabyte of data per day, says new report appeared first on The Citizen Lab.

• Legislative Updates
• Personal Information & Obscurity
• Cookies & Tracking

Legislative Updates

A variety of lobbyist battles, legislative deaths and rebirths, as well as a presidential executive order all brought new changes to social media and online privacy realms this month.

Lobbying frenzy in wake of proposed EU privacy changes

Proposed changes to the EU Data Protection Regulation drew a variety of responses from privacy advocates amidst heavy lobbying from US companies against the initiatives. One proposed revision would create a “right to be forgotten” across all member states, requiring companies to delete a user’s data at their request. The proposals drew a variety of amendments, and advocacy group Europe v Facebook reported that 25% of the content of such amendments were directly copied from lobbyist papers. Additional criticism of the changes came from a US diplomat, who warned that if the proposals were passed, the resulting restrictions might provoke a trade war. These moves were preceded by statements from several privacy advocacy groups including the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU), who wrote to various United States government officials, arguing that the United States should not hinder the EU’s privacy-strengthening regulation. Meanwhile, representatives for US IT companies argued that prescriptive regulation hinders innovation and economic development.

CISPA re-introduction draws privacy criticism

The Cyber Intelligence Sharing and Protection Act (CISPA) was re-introduced this month, unchanged from last year’s version that was passed in the United States House of Representatives, but defeated in the Senate after an outcry from “tens of thousands of concerned individuals”. The Act is designed to set up a streamlined system for the private sector to report cyber threat information to federal agencies. In response to the re-introduced bill, the EFF launched an online petition urging lawmakers to oppose it. Concerned privacy advocates claim the Act’s broad language would allow organizations to disclose their customers’ personal information to the US intelligence community with little transparency, and expressed dissatisfaction that no substantive changes were introduced in the latest version.

Obama cybersecurity executive order elicits diverse responses

US President Obama issued an executive order entitled “Improving Critical Infrastructure Cybersecurity” which calls for improved cybersecurity information sharing between private entities and the government while maintaining privacy and civil liberties protections. Other key demands include a call for a frameworks to reduce cyber risks to critical infrastructure, develop a cybersecurity program to protect said infrastructure, and identify the infrastructure at greatest risk. Michigan’s Chief Security Officer Dan Lohrmann writes that the executive order has elicited a wide range of reactions. For example, security expert Eugene Kaspersky praised the order as a step in the right direction in the wake of increased cyber attacks on critical infrastructure. In contrast to their response to CISPA, privacy advocates have generally praised the executive order for its attempt to protect security while not diminishing privacy. However, critics claim the order does not account for the complex network of existing security frameworks in place and fails to provide any concrete solutions to current problems.

Canadian Internet surveillance bill killed

Canada’s controversial Internet Surveillance Bill C-30 was killed by the Harper government earlier this month, about a year after the bill’s controversial introduction, which saw Canadian Public Safety minister Vic Toews disparage opponents of the bill as supporters of child pornographers. The bill would have required digital service providers to install equipment that enabled authorities to engage in real-time monitoring of the digital activities of customers without court authorization. Vocal opponents of the bill, including Ontario’s Information and Privacy Commissioner Ann Cavoukian and Vancouver-based Internet advocacy group OpenMedia.ca, were delighted to see the bill’s demise.

Back to top

Personal Information & Obscurity

Facebook had a policy triumph in the wake of a challenge over German privacy law, while the inner workings of Google Play’s personal information disclosure to developers raised the ire of privacy advocates.

Facebook defeats German privacy challenge

Facebook defeated a legal challenge by a German privacy watchdog (ULD) over the social networking site’s policy that requires all users to register with their real names. While a ban on pseudonyms may breach German privacy law, the court ruled that as Facebook is technically headquartered in Ireland, the law did not apply. In response, a representative for the ULD argued that the ruling will encourage multinational tech companies to set up their headquarters in jurisdictions with the weakest data protection. While a unified online identity can be useful for commercial purposes, one commentator argues that pseudonyms reflect the nature of people’s fragmented online identities and help to encourage creative thought.

Google Play store provides user data to app developers

An Android application developer caused a stir when he revealed that Google sends him the email address, approximate location, and occasionally the full name of individuals who downloaded his application from the Play Store. A source familiar with Play Store operations claimed that this is intentional, and has always been their practice. As the Play Store was modelled on Apple’s App store, which does not disclose purchaser details to developers, critics are claiming that most users do not expect their personal information to be shared with anyone besides Google (whom purchasers may assume they are doing business with). Google’s main privacy policy is arguably broad enough to cover this type of sharing as being between “affiliates”, to whom personal information is provided.

Back to top

Cookies & Tracking

This month saw several notable developments in online tracking policy. These occurred in the diverse areas of international standards deliberations, web browser implementations, and social media user interaction design.

Will the Do Not Track standard resume development?

After development stalled due to bitter tensions between advertising industry and privacy advocates, the Do Not Track (DNT) web standard is said to be resuming its course, while others are less sure of its future. The working group in charge of the standard has reportedly agreed on a roadmap and several key requirements. The standard, which is already partially implemented in numerous web browsers, provides a way for browsers to inform servers that the user does not wish to be tracked. When the standard’s self-regulated development appeared to have stalled, the advocacy group Consumer Watchdog called on the Federal Trade Commission (FTC) to push for DNT legislation. While no proposed legislation has yet emerged, the resumed development does follow the release of the FTC’s mobile privacy report [PDF], which recommends an implementation of DNT for mobile browsers.

Firefox to block third-party cookies by default

Perhaps in response to the stalled Do Not Track development, an update to the popular Firefox web browser will see it blocking cookies from third-party URLs by default. This move will bring it in alignment with the Safari browser’s similar default setting. When a web browser displays a website, any cookies loaded from a different domain are treated as “third-party origin”. Typically, third-party cookies are used to track individuals across different websites and serve them ads tailored towards an interest profile, a practice known as Online Behavioural Advertising (OBA). Nevertheless, a web browser will still save third-party cookies if the browser visited that third-party in the past. Jules Polonetsky, a leading privacy expert, posits that the move may provide an opportunity for ad companies to be more explicit about how and why they track users, re-framing a practice that largely operates in the background.

Facebook re-targeted ads to adopt AdChoices icon

In response to pressure to be more transparent about its ad re-targeting program, Facebook is reportedly introducing the AdChoices icon to indicate when an advertisement is “re-targeted”, displayed to the user based on information collected about the his/her web browsing history. The disclosure is a step towards transparency, but is not an obvious one; the small icon will only appear alongside a re-targeted advertisement only after a user hovers over it. Jeffery Chester of the Center for Digital Democracy was not impressed by the move, arguing that merely informing users that an advertisement is targeted does not amount to disclosure of how that information is harvested in the first place.

Back to top

Read previous editions of Social Media CyberWatch.

The post Social Media CyberWatch – February 2013 appeared first on The Citizen Lab.

Cell phone searches are a common law enforcement tool, but up until now, the public has largely been in the dark regarding how much sensitive information the government can get with this invasive surveillance technique. A document submitted to court in connection with a drug investigation, which we recently discovered, provides a rare inventory of the types of data that federal agents are able to obtain from a seized iPhone using advanced forensic analysis tools. The list, available here, starkly demonstrates just how invasive cell phone searches are—and why law enforcement should be required to obtain a warrant before conducting them.

Last fall, officers from Immigration and Customs Enforcement (ICE) seized an iPhone from the bedroom of a suspect in a drug investigation. In a single data extraction session, ICE collected a huge array of personal data from the phone. Among other information, ICE obtained:

call activity
phone book directory information
stored voicemails and text messages
photos and videos
apps
eight different passwords
659 geolocation points, including 227 cell towers and 403 WiFi networks with which the cell phone had previously connected.

For the full article, see here.

The post New document sheds light on government’s ability to search iPhones appeared first on The Citizen Lab.